Firewall Wizards mailing list archives

FIN scanning


From: "Michael B. Rash" <mbr () math umd edu>
Date: Tue, 16 Nov 1999 13:20:54 -0500 (EST)


I am using nmap (which is a great program BTW; thank you Fyodor) to scan a
host, and the -sF option conducts a FIN (stealth) scan against the target,
which of course comes back with _many_ more "open" ports than the vanilla
connect() scans.  "Open" here means that an RST was not received in
response to the FIN packet.

My question is this:  since mounting an application layer exploit against
a box will require that you can communicate over some port with regular
connect() calls, what good are FIN scans?  You may identify ports that are
'open' with respect to FIN packets, but to actually mount an exploit
against a machine/application (other than some odd-ball FIN DoS attack or
something), you will need to use connect() calls anyway, so why not simply
use vanilla TCP connect() scanning instead?  Note that doing some
preliminary searching on bugtraq and a couple of other sources comes up with
no exploits using FIN packets.  All references seem to point to using FIN
packets exclusively for scanning.  What am I missing?

--Mike                        | "...Audiences know what to expect and that
http://www.math.umd.edu/~mbr  | is all they are prepared to believe in..."

P.S.  'hello'
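As an added illustration (not part of the original post and not nmap's own code), here is a small Python model of the exchange the post describes. An RFC 793 stack answers a FIN sent to a closed port with an RST and sends nothing for an open port, so a FIN scan can only observe "no RST came back"; a firewall that silently drops the probe produces exactly the same silence, which is why later nmap versions report such ports as open|filtered rather than open. The model also includes a stack that sends RST for every port whether open or closed (Windows behaves this way), on which a FIN scan reports everything as closed. The Target, Stack, fin_scan, connect_scan and fin_only_ports names and the port sets below are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Stack(Enum):
    # RFC 793 behaviour: RST only for closed ports, silence for open ports.
    RFC793 = "rfc793"
    # Stacks that answer RST on every port, open or closed (Windows-style);
    # a FIN scan against them labels every unfiltered port "closed".
    RST_ALWAYS = "rst_always"


@dataclass
class Target:
    """Constructed model of a scanned host plus a packet-dropping firewall."""
    stack: Stack
    open_ports: set
    filtered_ports: set = field(default_factory=set)  # probes dropped before the host sees them

    def respond(self, port, flags):
        """Return the flags of the reply segment, or None if nothing comes back."""
        if port in self.filtered_ports:
            return None                      # firewall drops the probe: silence
        if flags == "F":                     # FIN probe
            if port in self.open_ports and self.stack is Stack.RFC793:
                return None                  # RFC 793: open port ignores a bare FIN
            return "R"                       # closed port (or RST_ALWAYS stack): RST
        if flags == "S":                     # SYN, i.e. what connect() sends first
            return "SA" if port in self.open_ports else "R"
        raise ValueError(f"unmodelled flags {flags!r}")


def fin_scan(target, ports):
    """Classify ports the way a FIN scan can: RST means closed, silence is ambiguous."""
    results = {}
    for p in ports:
        reply = target.respond(p, "F")
        # No RST could mean "open" or "dropped by a filter"; the scan cannot tell.
        results[p] = "closed" if reply == "R" else "open|filtered"
    return results


def connect_scan(target, ports):
    """Classify ports the way a connect() scan can: SYN/ACK, RST or silence."""
    results = {}
    for p in ports:
        reply = target.respond(p, "S")
        if reply == "SA":
            results[p] = "open"
        elif reply == "R":
            results[p] = "closed"
        else:
            results[p] = "filtered"
    return results


def fin_only_ports(fin_results, connect_results):
    """Ports the FIN scan flagged that a connect() scan could not actually reach."""
    return sorted(p for p, s in fin_results.items()
                  if s == "open|filtered" and connect_results.get(p) != "open")


if __name__ == "__main__":
    ports = [22, 25, 80, 443]
    rfc = Target(Stack.RFC793, open_ports={22, 80}, filtered_ports={443})
    print("RFC 793 host, FIN scan:    ", fin_scan(rfc, ports))
    print("RFC 793 host, connect scan:", connect_scan(rfc, ports))
    print("FIN-only ports:            ", fin_only_ports(fin_scan(rfc, ports), connect_scan(rfc, ports)))
    win = Target(Stack.RST_ALWAYS, open_ports={22, 80}, filtered_ports={443})
    print("RST-always host, FIN scan: ", fin_scan(win, ports))
```

The FIN-only list is the set the post is asking about: every port in it is either firewall-filtered or was never open, so it is exactly the extra "open" ports that no connect()-based exploit can use, while the same probe on an RST-always stack hides the genuinely open ports 22 and 80.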


